dns

Defines DNS records in a centralized TypeScript configuration file (src/config/records.ts) using strongly-typed objects that declare all domains, subdomains, and record types (A, CNAME, MX, TXT, SPF, DKIM, DMARC) for modelcontextprotocol.io, .net, and .org. The configuration separates record declaration from provisioning logic, enabling peer review and version control of infrastructure changes before deployment. TypeScript's type system validates record structure at compile time, preventing invalid configurations from reaching the provisioning stage.

Orchestrates DNS record creation and updates through Pulumi's resource model, which reads the TypeScript configuration and generates Cloudflare API calls to provision records across three domains. The provisioning engine (src/dns.ts) iterates through the DNS_RECORDS configuration, creates Pulumi resources for each record, and manages state through Google Cloud Storage, ensuring idempotent deployments where re-running the same configuration produces no changes if infrastructure is already in sync. Pulumi's state backend enables consistent deployments across CI/CD runners and local environments.

Generates a preview of proposed DNS changes before applying them to production by running `make preview`, which executes `pulumi preview` against the current configuration and compares it against the state stored in Google Cloud Storage. The preview output shows exactly which records will be created, modified, or deleted, enabling developers to catch unintended changes before they reach the production Cloudflare account. This capability integrates with GitHub Actions to automatically generate previews on pull requests, allowing peer review of DNS changes before merge.

Executes DNS provisioning automatically when code is merged to the main branch through GitHub Actions workflows that run `pulumi up` in a CI/CD environment. The workflow authenticates to Google Cloud Storage for state management, decrypts the Pulumi stack passphrase from secrets, and applies DNS changes to Cloudflare without manual intervention. This capability ensures that all DNS changes are deployed consistently through the same pipeline, with full audit logging of who merged the code and when changes were applied.

Manages DNS records across three domains (modelcontextprotocol.io, .net, .org) with records routed to different services: Vercel for web hosting (root and spec subdomains), Google Workspace for email/productivity (MX, SPF, DKIM, DMARC), GitHub Pages for documentation, and Google Cloud Platform for registry services. The configuration structure organizes records by domain and service, enabling clear visibility of which subdomains point to which services. This capability handles the complexity of coordinating multiple third-party services' DNS requirements in a single configuration file.

Provides convenient Make targets (make preview, make deploy, make validate) that wrap Pulumi CLI commands and authentication steps, reducing the cognitive load on developers who may not be familiar with Pulumi internals. The Makefile abstracts away the complexity of Pulumi stack selection, state backend authentication, and secret decryption, allowing developers to run `make preview` instead of remembering the full Pulumi command syntax. This capability enables non-infrastructure engineers to safely interact with DNS infrastructure through simple, documented commands.

Stores Pulumi stack state in Google Cloud Storage (mcp-dns-prod bucket) rather than locally, enabling consistent deployments across multiple environments (local developer machines, CI/CD runners) without state file synchronization issues. The external state backend is accessed through gcloud authentication, which is configured via `gcloud auth application-default login`. This approach ensures that all deployments see the same infrastructure state, preventing divergence where different environments have different views of what DNS records exist.

Organizes infrastructure deployments into Pulumi stacks (mcp-dns-prod for production) that isolate configuration and secrets per environment. Stack secrets are encrypted and stored in Pulumi.yaml, with the decryption passphrase (passphrase.prod.txt) managed separately and distributed to CI/CD runners through GitHub Actions secrets. This capability enables different environments (development, staging, production) to have different DNS configurations and credentials without sharing secrets across environments.

Compiles TypeScript source files (src/config/records.ts, src/dns.ts, src/index.ts) to JavaScript using tsc, with strict type checking enabled to catch configuration errors at compile time. The build process validates that DNS records conform to the expected TypeScript schema, preventing invalid configurations from reaching the provisioning stage. Pre-commit hooks (via pre-commit framework) run linting and formatting checks before commits, ensuring code quality and consistency across the repository.